Remote code execution vulnerability due to arbitrary file creation.

youseries / ureport

UReport2 is a high-performance pure Java report engine based on Spring architecture, where complex Chinese-style statements and reports can be prepared by iterating over cells.

Apache License 2.0

2.04k stars 837 forks source link

Remote code execution vulnerability due to arbitrary file creation. #485

Open T3qui1a opened 4 years ago

T3qui1a commented 4 years ago

We find the stored part of this file by searching the key functions.

View calls in this section

Network truncation of parameter transfer in this part.

Try to modify to JSP webshell.

The error reported here is an error occurred during XML parsing, but the file has been written into the server.

Find this directory.

Of course, this directory can't access JSP. Try to cross directory with relative path.

Successfully cross directory and get webshell.

126wss commented 1 year ago

the key functions are in ureport2-core/src/main/java/com/bstek/ureport/provider/report/ReportProvider.java or ureport2-core/src/main/java/com/bstek/ureport/provider/report/classpath/ClasspathReportProvider.java or ureport2-core/src/main/java/com/bstek/ureport/provider/report/file/FileReportProvider.java ? we want to reproduce this vul as well